
[nycphp-talk] Need some understanding about a hacker attack...

Brian Williams brianw1975 at gmail.com
Sat Oct 11 10:03:37 EDT 2008


This totally sucks and I'm sorry to hear this happened. It sounds like
you'll need a crash course in Apache configuration...

My advice to you is to do a couple things:

a) Most importantly, consider *finding a new host*, because
  1) they should have records of all connectivity to that server
  2) their system is obviously insecure and when it comes to server security
I believe that hosts have a '1 strike and you are out' grace period
  3) the hacker probably got in through ssh if he was able to set
permissions to the point where you were not able to delete them (they were
probably under ownership of the account he used to hack the system)

b) assuming that the .htaccess is local to the /xml directory only
  1) (if you haven't done so already) create a .htaccess file in the root
directory and put 'Options -Indexes' in that
  2) IIRC this: "<files "*.*">Deny from All</files>" is useless because
"<files "*.*">Allow from 127.0.0.1 localhost</files>" will override it WITH
the following caveat: the *main* Apache config has to have AllowOverride All
specified

> The use of .htaccess files can be disabled completely by setting the
> AllowOverride directive (http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride) to
> none:

that means you could make changes to your .htaccess file all day long and
nothing will change (which I think is the problem on both machines, but not
exactly sure since I don't have specifics of file names, references to those
file names, etc)

  3) if your .htaccess file is working correctly I think you want something
more along the lines of

<FilesMatch "\..+$">
Order Deny,Allow
Deny from All
Allow from 127.0.0.1 localhost
</FilesMatch>

Just off the top of my head though

Good luck.



On Sat, Oct 11, 2008 at 8:51 AM,  <mikesz at qualityadvantages.com> wrote:
> Hello NYPHP,
>
>  One of my sites went down yesterday with "Out of Bandwidth". When I
>  checked into it, a badguy had hijacked an application folder called
>  /xml that usually contains one php file that serves the application
>  menu system. I have no idea why the software developer chose this
>  method. The /xml folder is read only (and has always been read only)
>  Yesterday, in addition to the single php file, /xml contained a
>  subfolder called odg which contained a porn distribution application
>  with thousands of images that it was serving the planet through
>  mediacatch.com and myhostdyn.com among others. I have no idea how
>  the badguy got in and my ISP doesn't have a clue either. I got them
>  to delete the junk because the badguy used a Unix system account to
>  create the junk and I was unable to delete with the permissions I
>  have.
>
>  Now with that gone, I decided to add a .htaccess file to further
>  restrict access to the /xml folder but when I did, the .htaccess
>  file does not respond at all. Here is what I put in there:
>
> Options -Indexes
>
> order deny,allow
>
> <files "*.*">
> Deny from All
> </files>
>
> <files "*.*">
> Allow from 127.0.0.1 localhost
> </files>
>
> I expected that if I tried to access that folder directly that I would
> get a 403 but instead I got the application intro screen?
>
> I checked my test system also and when I do a directory of the /xml
> folder, it shows me the content of the folder which is yet another
> unexpected outcome.
>
> The question I have is: does a folder named /xml have any special
> status or significance on a linux box that would cause it to act
> differently than say, an /includes folder that usually generates a
> blank screen?
>
> Any clues would be greatly appreciated. Notice that I haven't gotten
> into the hack at all, no idea how it happened and the ISP is really
> vague about what might have happened but is pointing the finger to my
> app and, of course, his server is completely secure, btw, it's a shared
> server. My guess is that the bad guy ripped off the system account and
> ran amok on it but nobody is even hinting that this could be a
> possibility, to the contrary. Getting back to the /xml, why would I be
> getting the bizarre behavior from it?
>
> TIA
>
> --
> Best regards,
>  mikesz                          mailto:mikesz at qualityadvantages.com
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
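Added example, not part of either message in this thread: a small Python model of how Apache 2.2's host-based access control (the `Order`, `Deny from` and `Allow from` directives discussed above) decides a request for one client IP, together with the `AllowOverride` switch that decides whether an `.htaccess` file is read at all. It is not Apache's own code. Assumptions made here: `<Files>`/`<FilesMatch>` containers are flattened (their directives are taken to apply to the file being requested), hostnames other than `localhost` are not resolved, and the sample `.htaccess` text is the `FilesMatch` block from the reply with its closing tag written as `</FilesMatch>`.

```python
# Added example (not from the thread): a model of how Apache 2.2 / mod_access
# evaluates Order, Deny from and Allow from for one client IP, plus the
# AllowOverride switch that decides whether .htaccess is read at all.
import ipaddress

# Constructed sample: the FilesMatch block suggested in the reply above,
# with the closing tag written as </FilesMatch>.
SUGGESTED_HTACCESS = r"""
Options -Indexes
<FilesMatch "\..+$">
Order Deny,Allow
Deny from All
Allow from 127.0.0.1 localhost
</FilesMatch>
"""


def _matches(spec, client_ip):
    """Return True if one 'from' token (all, localhost, IP or CIDR) matches client_ip."""
    spec = spec.lower()
    if spec == "all":
        return True
    if spec == "localhost":
        return client_ip in ("127.0.0.1", "::1")
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Hostnames other than localhost would need a DNS lookup; not modelled here.
        return False


def parse_htaccess(text):
    """Collect Order, Allow from and Deny from tokens from an .htaccess fragment.

    Assumption of this model: <Files>/<FilesMatch> containers are flattened,
    i.e. the directives inside them are treated as applying to the file being
    requested. Other directives such as Options are ignored here.
    """
    order, allow, deny = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def access_decision(htaccess_text, client_ip, allow_override="All"):
    """Return 'allow' or 'deny' for client_ip under the given .htaccess text.

    allow_override mirrors the AllowOverride value in the main server config:
    with 'None', Apache never reads the .htaccess, so nothing in it applies.
    """
    if allow_override.lower() == "none":
        return "allow"
    order, allow, deny = parse_htaccess(htaccess_text)
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    if order == "deny,allow":
        # Deny directives first, then Allow overrides them; unmatched clients are allowed.
        return "deny" if denied and not allowed else "allow"
    if order == "allow,deny":
        # Allow directives first, then Deny overrides them; unmatched clients are denied.
        return "allow" if allowed and not denied else "deny"
    raise ValueError("unsupported Order value: " + order)


if __name__ == "__main__":
    for ip, override in (("203.0.113.5", "All"), ("127.0.0.1", "All"), ("203.0.113.5", "None")):
        verdict = access_decision(SUGGESTED_HTACCESS, ip, override)
        print(f"client {ip:12} AllowOverride {override:4} -> {verdict}")
```

Running it shows the two points the reply makes: under `Order Deny,Allow` a remote client matching `Deny from All` is refused while `127.0.0.1` is let through by the later `Allow`, and under `AllowOverride None` the same file changes nothing, which is the symptom the original poster describes (edits to `.htaccess` having no visible effect).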